cacert-policy - Re: Uncontroversial changes to the CPS

Subject: Policy-Discussion

  • From: Ian G <iang AT cacert.org>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: Uncontroversial changes to the CPS
  • Date: Fri, 11 Nov 2011 17:26:23 +1100
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 11/11/11 03:59 AM, Michael Tänzer wrote:

> > Key Usage:
> > Why not all four Key Usages?
> > * digitalSignature
> > * nonRepudiation
> > * keyEncipherment
> > * dataEncipherment
> > This should allow me to use it for email; place a digital signature like on
> > Adobe docs; tell the user I am who the certificate says (nonRepudiation); Key
> > exchange (keyEncipherment); encryption (dataEncipherment). I have a need for
> > all four.
>
> nonRepudiation is actually reserved not for normal signatures but things
> like time stamping services. If you just want to sign a document the
> digitalSignature should be enough. The spec is quite fuzzy around the
> use of nonRepudiation thus it's quite easy to misunderstand and the
> interpretation space is huge. The presence of the flag is interpreted by
> some as the signer is entering into a contract that is legally binding
> but you probably don't want that flag on all certs, so either leave it
> out generally or make it optional to include on request time (but that
> would need some coding that probably has to wait)

http://www.cacert.org/policy/CertificationPracticeStatement.php

  • Non-repudiation applications. Non-repudiation is not to be implied from use of CAcert certificates. Rather, certificates may provide support or evidence of actions, but that evidence is testable in any dispute.



question then is, does any software require nonRepudiation? And what for?

    iang
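
The four key usages listed in the quoted request are bits 0 to 3 of the X.509 keyUsage BIT STRING (RFC 5280, section 4.2.1.3). As an added example, not part of the original message or of CAcert's code, the following decodes a DER-encoded keyUsage value and reports whether nonRepudiation is set; the function names and the sample byte strings are constructed for illustration.

```python
# Added example: decode an X.509 keyUsage extension value (DER BIT STRING)
# and report whether the nonRepudiation bit is asserted.
# Bit order follows RFC 5280 section 4.2.1.3; bit 0 is the most significant bit.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> list:
    """Return the names of the bits set in a DER-encoded KeyUsage value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING carrying key usage bits")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length for a keyUsage value")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit = divmod(i, 8)
        if byte_index < len(payload) and payload[byte_index] & (0x80 >> bit):
            names.append(name)
    return names

def review(der: bytes):
    """Return (usages, flagged); flagged is True when nonRepudiation is set."""
    usages = decode_key_usage(der)
    return usages, "nonRepudiation" in usages

if __name__ == "__main__":
    # Constructed samples: all four requested usages, then the same set
    # without nonRepudiation.
    for sample in ("030204f0", "030204b0"):
        usages, flagged = review(bytes.fromhex(sample))
        note = "nonRepudiation present" if flagged else "no nonRepudiation"
        print(sample, ", ".join(usages), "->", note)
```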